The scenario ^
The following figure graphically illustrates the simple, real-world scenario upon which we base our study of DAC:
Our Dynamic Access Control scenario
We have three computers in our test network:
- DCNUGGET: Windows Server 2012 domain controller
- MEMNUGGET: Windows Server 2012 file server that will host DAC-protected shared resources
- CLINUGGET: Windows 8 client computer
If you read through this series, then you’ve performed the following actions in your test environment:
- Defined user claims
- Defined resource properties
- Published the resource property list to your file server
- Created a Central Access Rule and associated it with a Central Access Policy
- Used Group Policy to deploy the Central Access Rule to your file server
- Tagged the target shared folder with resource properties
Our final step in this process is to test user access to the CORPDOCS shared folder.
Testing DAC with Effective Access ^
Connect to your file server, locate your shared folder, and open its Properties sheet. Next, navigate to the Effective Access tab. Click the Resource Properties disclosure arrow to verify that the folder has tagged metadata. I show you the interface in Figure 2.
Viewing Effective Access to a DAC-protected resource
NOTE: You should also navigate to the Central Policy tab and verify that the folder is attached to your published Central Access Policy.
In the Advanced Security Settings dialog box, click Select a user and browse to a representative user account. In my case, I brought up a test user named Jeff Gibson who works in Nashville but not in the RD department.
Viewing a user's effective access
As you can see, you can easily analyze whether the given user is granted or denied access to the DAC-protected resource. What’s even better, Windows shows you whether the access comes from a Central Access Policy, NTFS permissions, or both.
Click the Include a user claim link in the Advanced Security Settings dialog to model how the user’s access changes if his user claims are modified. In my case, I changed Jeff’s claims to match the Nashville location and the RD department.
Taking a look at Figure 4, you’ll observe that my user Jeff Gibson would now have access to the CORPDOCS folder.
Modeling access to DAC resources
For those of us with years of experience managing shared file resources by using share and NTFS permissions, Dynamic Access Control presents us with a learning curve and an altered paradigm toward IT security and least privilege.
However, I think you’d agree with me that, once you get the hang of it, DAC ultimately makes it easier to apply least privilege access in a powerful and flexible way. Be on the lookout for my 4sysops blog post on security auditing; Windows Server 2012 now allows us to track detailed access metadata for DAC resources.
Please see the following online resources if you want some more detail. Please let me know in the comments of this post if you’d like me to develop a full tutorial for Dynamic Access Control deployment.
- Introduction to Windows Server 2012 Dynamic Access Control
- Windows Server 2012 Dynamic Access Control-The Power of “And…”
- Follow me and Learn Windows Server 2012-Dynamic Access Control